6 changes: 6 additions & 0 deletions .github/labeler.yml
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,12 @@ product/nginxaas:
- 'content/nginxaas-azure/**'
- 'content/includes/nginxaas-azure/**'

product/nic:
- changed-files:
- any-glob-to-any-file:
- 'content/nic/**'
- 'content/includes/nic/**'

product/nim:
- changed-files:
- any-glob-to-any-file:
Expand Down
3 changes: 2 additions & 1 deletion .gitignore
Original file line number Diff line number Diff line change
@@ -1,7 +1,8 @@
# See https://help.github.com/articles/ignoring-files/ for more about ignoring files.
**/.DS_Store

# dependencies
# Log files
*.log

# testing
/coverage
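Review bot: the new `*.log` pattern under "# Log files" does not match `cleanup_log.txt`, the 929-line file this same PR deletes, because that name ends in `.txt`. If the goal is to stop that file from being committed again, add an explicit `cleanup_log.txt` (or `*_log.txt`) entry next to `*.log`.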
Expand Down
929 changes: 0 additions & 929 deletions cleanup_log.txt

This file was deleted.

18 changes: 9 additions & 9 deletions content/includes/nap-waf/policy.html
Original file line number Diff line number Diff line change
Expand Up @@ -2849,13 +2849,13 @@ <h2 id="policy/ip-address-lists">ip-address-lists</h2>
<td><dl>
<dt>Specifies how the system responds to blocking requests sent from this IP address list.</dt>
<dd><ul>
<li><strong>Policy Default:</strong> Specifies that the Policy Blocking Settings will be used for requests from this IP address list.</li>
<li><strong>Policy Default:</strong> Specifies that the policy enforcementMode will be used for requests from this IP address list.</li>
<li><strong>Never Block:</strong> Specifies that the system does not block requests sent from this IP address list, even if your security policy is configured to block all traffic.</li>
<li><strong>Always Block:</strong> Specifies that the system blocks requests sent from this IP address list.</li>
</ul>
</dd>
</dl>
<p>Optional</p></td>
<p>Optional, if absent Policy Default is used.</p></td>
<td><ul>
<li>always</li>
<li>never</li>
Expand All @@ -2871,13 +2871,13 @@ <h2 id="policy/ip-address-lists">ip-address-lists</h2>
<tr class="odd">
<td><a href="#policy/ip-address-lists/ipAddresses">ipAddresses</a></td>
<td>array of objects</td>
<td>Specifies the IP addresses.</td>
<td>Specifies the IP addresses. Use CIDR notation for subnet definition.</td>
<td></td>
</tr>
<tr class="even">
<td><code>matchOrder</code></td>
<td>integer</td>
<td>Specifies the order index for IP Address List matching. If unspecified, the order is implicitly as the lists appear in the policy. IP Address Groups with a lower matchOrder will be checked for a match prior to items with higher matchOrder.</td>
<td>Specifies the order matching index between different IP Address Lists. If unspecified, the order is implicitly as the lists appear in the policy. IP Address Lists with a lower matchOrder will be checked for a match prior to items with higher matchOrder.</td>
<td></td>
</tr>
<tr class="odd">
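Review bot: in the matchOrder row, "the order matching index between different IP Address Lists" is hard to parse, and the description does not say which list wins when two lists share the same matchOrder or when only some lists set it. Because lists can carry opposite blockRequests values (`always` and `never`), that tie-break decides whether a request from an address present in two lists is blocked. Suggest "Specifies the matching order among IP Address Lists", plus one sentence on ties and on mixing explicit and implicit order.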
Expand All @@ -2889,13 +2889,13 @@ <h2 id="policy/ip-address-lists">ip-address-lists</h2>
<tr class="even">
<td><code>neverLogRequests</code></td>
<td>boolean</td>
<td>Specifies when enabled that the system does not log requests or responses sent from this IP address list, even if the traffic is illegal, and even if your security policy is configured to log all traffic.</td>
<td>Specifies when enabled that the system does not log requests or responses sent from this IP address list, even if the traffic is illegal, and even if your security policy is configured to log all traffic. Optional, if absent default value is false.</td>
<td></td>
</tr>
<tr class="odd">
<td><code>setGeolocation</code></td>
<td>string</td>
<td>Specifies a geolocation to be associated for this IP address list. Optional</td>
<td>Specifies a geolocation to be associated for this IP address list. This will force the IP addresses in the list to be considered as though they are in that geolocation. This applies to blocking via "disallowed-geolocations" and to logging. Optional</td>
<td></td>
</tr>
</tbody>
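Review bot: the setGeolocation description still ends in a bare "Optional" with no period and no statement of what happens when the field is absent, while the neverLogRequests row in the same hunk now spells out its default. It also does not say what form the string takes; is it the same value set that "disallowed-geolocations" accepts? Stating both matters here because the new text says the field overrides the geolocation used for blocking and for logging.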
Expand All @@ -2920,7 +2920,7 @@ <h3 id="policy/ip-address-lists/ipAddresses">ipAddresses</h3>
<tr class="odd">
<td><code>ipAddress</code></td>
<td>string</td>
<td></td>
<td>Specifies the IP address. Use CIDR notation for subnet definition.</td>
<td></td>
</tr>
</tbody>
Expand Down Expand Up @@ -3605,7 +3605,7 @@ <h2 id="policy/override-rules">override-rules</h2>
<p>Request Attributes:</p>
<blockquote>
<ul>
<li><strong>clientIp</strong>: Client IP address in canonical IPv4 or IPv6 format. Use CIDR notation for subnet definition. Example: <em>192.168.1.2</em> or <em>fd00:1::/48</em>. If <em>trustXff</em> (X-Forwarded-For) is enabled in the containing policy, then the value is taken from the configured header (XFF or other). The only supported boolean function for the clientIP attribute is <em>matches</em>.</li>
<li><strong>clientIp</strong>: Client IP address in canonical IPv4 or IPv6 format or ip-address-list. Use CIDR notation for subnet definition. Example: <em>192.168.1.2</em> or <em>fd00:1::/48</em>. If <em>trustXff</em> (X-Forwarded-For) is enabled in the containing policy, then the value is taken from the configured header (XFF or other). The only supported boolean function for the clientIP attribute is <em>matches</em>.</li>
<li><strong>host</strong>: The value of the Host header</li>
<li><strong>method</strong>: The HTTP method in the request</li>
<li><strong>uri</strong>: The URI (path part) of the request</li>
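Review bot: the clientIp bullet now reads "IPv4 or IPv6 format or ip-address-list", which names the feature differently from the `ipAddressLists['...']` form that the Note for this same field uses in a condition. Suggest wording such as "or a reference to an IP address list" and pointing at the exact condition syntax. The last sentence of the bullet also spells the attribute "clientIP" while the bullet label is "clientIp"; worth aligning while this line is being edited.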
Expand All @@ -3616,7 +3616,7 @@ <h2 id="policy/override-rules">override-rules</h2>
<li><strong>headers['&lt;name&gt;']</strong>: (map-type) The value of the specified header name. Example: "headers['Accept'].startsWith('application')"</li>
</ul>
</blockquote>
<p><strong>Note</strong>: The "headers['&lt;name&gt;']" attribute does not support 'Cookie' as a header name.</p></td>
<p><strong>Note</strong>: The "headers['&lt;name&gt;']" attribute does not support 'Cookie' as a header name. Attribute "clientIp" supports using "ipAddressLists" in condition: "clientIp.matches(ipAddressLists['<name>'])</p></td>
<td></td>
</tr>
<tr class="odd">
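Review bot: in the Note paragraph, the added sentence embeds a raw `<name>` inside `ipAddressLists['<name>']`, whereas the first sentence of the same paragraph escapes it as `&lt;name&gt;`; a browser parses the unescaped form as an unknown tag, so the placeholder disappears from the rendered page. The quoted expression is also never closed: there is no closing double quote or period before `</p>`. Suggest `"clientIp.matches(ipAddressLists['&lt;name&gt;'])".`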
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,9 +2,9 @@
title: ConfigMap resources
weight: 300
toc: true
type: how-to
product: NIC
docs: DOCS-586
nd-content-type: how-to
nd-product: NIC
nd-docs: DOCS-586
---

When using F5 NGINX Ingress Controller, you can customize or fine tune NGINX behavior using ConfigMap resources. Examples include setting the number of worker processes or customizing the access log format.
Expand Down Expand Up @@ -171,7 +171,7 @@ For more information, view the [VirtualServer and VirtualServerRoute resources](
{{<bootstrap-table "table table-striped table-bordered table-responsive">}}
|ConfigMap Key | Description | Default | Example |
| ---| ---| ---| --- |
|*lb-method* | Sets the [load balancing method](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-load-balancer/#choosing-a-load-balancing-method). To use the round-robin method, specify *"round_robin"*. | *"random two least_conn"* | |
|*lb-method* | Sets the [load balancing method]({{< ref "/nginx/admin-guide/load-balancer/http-load-balancer.md#choosing-a-load-balancing-method" >}}). To use the round-robin method, specify *"round_robin"*. | *"random two least_conn"* | |
|*max-fails* | Sets the value of the [max_fails](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#max_fails) parameter of the *server* directive. | *1* | |
|*upstream-zone-size* | Sets the size of the shared memory [zone](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#zone) for upstreams. For NGINX, the special value 0 disables the shared memory zones. For NGINX Plus, shared memory zones are required and cannot be disabled. The special value 0 will be ignored. | *256k* for NGINX, *512k* for NGINX Plus | |
|*fail-timeout* | Sets the value of the [fail_timeout](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#fail_timeout) parameter of the *server* directive. | *10s* | |
Expand All @@ -182,7 +182,7 @@ For more information, view the [VirtualServer and VirtualServerRoute resources](

### Zone Sync

Zone Sync enables the [ngx_stream_zone_sync_module](https://nginx.org/en/docs/stream/ngx_stream_zone_sync_module.html) in NGINX Ingress Controller when NGINX Plus is used. Multiple replicas are required to effectively utililise this functionality. More information is available in the [How NGINX Plus Performs Zone Synchronization](https://docs.nginx.com/nginx/admin-guide/high-availability/zone_sync_details/) topic.
Zone Sync enables the [ngx_stream_zone_sync_module](https://nginx.org/en/docs/stream/ngx_stream_zone_sync_module.html) in NGINX Ingress Controller when NGINX Plus is used. Multiple replicas are required to effectively utililise this functionality. More information is available in the [How NGINX Plus Performs Zone Synchronization]({{< ref "/nginx/admin-guide/high-availability/zone_sync_details.md" >}}) topic.

Zone synchronization with TLS for NGINX Ingress Controller is not yet available with ConfigMap. If you would like to enable Zone Sync with TLS, please remove `zone-sync` from ConfigMap and add Zone Sync parameters via [`stream-snippets`]({{< ref "/nic/configuration/ingress-resources/advanced-configuration-with-snippets.md" >}}) similar to [this example](https://github.com/nginx/kubernetes-ingress/blob/v4.0.1/examples/custom-resources/oidc/nginx-config.yaml) and adding the [zone_sync_ssl directive](https://nginx.org/en/docs/stream/ngx_stream_zone_sync_module.html#zone_sync_ssl) along with any other TLS parameters to the `stream-snippets`.

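Review bot: the rewritten Zone Sync sentence still carries the typo "utililise"; since the line is being touched for the link change, correct it in the same commit. The unchanged paragraph after it pins its example link to `v4.0.1`, while the stream-snippets row elsewhere in this file uses `v{{< nic-version >}}`; if the pin is not intentional, the shortcode would keep the link current.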
Expand Down Expand Up @@ -217,10 +217,10 @@ If you encounter the error `error [emerg] 13#13: "zone_sync" directive is duplic
|*location-snippets* | Sets a custom snippet in location context. | N/A | |
|*server-snippets* | Sets a custom snippet in server context. | N/A | |
|*stream-snippets* | Sets a custom snippet in stream context. | N/A | [Support for TCP/UDP Load Balancing](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/tcp-udp). |
|*main-template* | Sets the main NGINX configuration template. | By default the template is read from the file in the container. | [Custom Templates](/nginx-ingress-controller/configuration/global-configuration/custom-templates). |
|*ingress-template* | Sets the NGINX configuration template for an Ingress resource. | By default the template is read from the file on the container. | [Custom Templates](/nginx-ingress-controller/configuration/global-configuration/custom-templates). |
|*virtualserver-template* | Sets the NGINX configuration template for an VirtualServer resource. | By default the template is read from the file on the container. | [Custom Templates](/nginx-ingress-controller/configuration/global-configuration/custom-templates). |
|*transportserver-template* | Sets the NGINX configuration template for a TransportServer resource. | By default the template is read from the file on the container. | [Custom Templates](/nginx-ingress-controller/configuration/global-configuration/custom-templates). |
|*main-template* | Sets the main NGINX configuration template. | By default the template is read from the file in the container. | [Custom Templates]({{< ref "/nic/configuration/global-configuration/custom-templates.md" >}}). |
|*ingress-template* | Sets the NGINX configuration template for an Ingress resource. | By default the template is read from the file on the container. | [Custom Templates]({{< ref "/nic/configuration/global-configuration/custom-templates.md" >}}). |
|*virtualserver-template* | Sets the NGINX configuration template for an VirtualServer resource. | By default the template is read from the file on the container. | [Custom Templates]({{< ref "/nic/configuration/global-configuration/custom-templates.md" >}}). |
|*transportserver-template* | Sets the NGINX configuration template for a TransportServer resource. | By default the template is read from the file on the container. | [Custom Templates]({{< ref "/nic/configuration/global-configuration/custom-templates.md" >}}) |
{{</bootstrap-table>}}

---
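Review bot: the transportserver-template row drops the period after the Custom Templates link that the three rows above it keep; add it back for consistency. While these rows are being edited, the virtualserver-template row still reads "an VirtualServer resource" (should be "a"), and main-template says "in the container" where the other three say "on the container".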
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ Listeners are required by [TransportServer resources]({{< ref "/nic/configuratio

## Prerequisites

When [installing NGINX Ingress Controller using Manifests]({{< ref "/nic/installation/installing-nic/installation-with-manifests.md" >}}), you need to reference a GlobalConfiguration resource in the [`-global-configuration`](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments#cmdoption-global-configuration) command-line argument. NGINX Ingress Controller only needs one GlobalConfiguration resource.
When [installing NGINX Ingress Controller using Manifests]({{< ref "/nic/installation/installing-nic/installation-with-manifests.md" >}}), you need to reference a GlobalConfiguration resource in the [`-global-configuration`]({{< ref "/nic/configuration/global-configuration/command-line-arguments.md#cmdoption-global-configuration" >}}) command-line argument. NGINX Ingress Controller only needs one GlobalConfiguration resource.

---

Expand Down Expand Up @@ -71,7 +71,7 @@ The `listeners:` key defines a listener (a combination of a protocol and a port)
|Field | Description | Type | Required |
| ---| ---| ---| --- |
| *name* | The name of the listener. Must be a valid DNS label as defined in RFC 1035. For example, ``hello`` and ``listener-123`` are valid. The name must be unique among all listeners. The name ``tls-passthrough`` is reserved for the built-in TLS Passthrough listener and cannot be used. | *string* | Yes |
| *port* | The port of the listener. The port must fall into the range ``1..65535`` with the following exceptions: ``80``, ``443``, the [status port](/nginx-ingress-controller/logging-and-monitoring/status-page), the [Prometheus metrics port](/nginx-ingress-controller/logging-and-monitoring/prometheus). Among all listeners, only a single combination of a port-protocol is allowed. | *int* | Yes |
| *port* | The port of the listener. The port must fall into the range ``1..65535`` with the following exceptions: ``80``, ``443``, the [status port]({{< ref "/nic/logging-and-monitoring/status-page.md" >}}), the [Prometheus metrics port]({{< ref "/nic/logging-and-monitoring/prometheus.md" >}}). Among all listeners, only a single combination of a port-protocol is allowed. | *int* | Yes |
| *protocol* | The protocol of the listener. Supported values: ``TCP``, ``UDP`` and ``HTTP``. | *string* | Yes |
| *ssl* | Configures the listener with SSL. This is currently only supported for ``HTTP`` listeners. Default value is ``false`` | *bool* | No |
| *ipv4* | Specifies the IPv4 address to listen on. | *string* | No |
Expand Down
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
---
docs: DOCS-589
doctypes:
- ''
title: Reporting resource status
toc: true
weight: 600
nd-content-type: how-to
nd-product: NIC
nd-docs: DOCS-589
---

This page describes how to view the status of resources managed by F5 NGINX Ingress Controller.
Expand All @@ -30,7 +30,7 @@ NGINX Ingress Controller must be configured to report an Ingress status:
1. A user defined address, specified in the `external-status-address` ConfigMap key.
1. A Service of the type LoadBalancer configured with an external IP or address and specified by the `-external-service` command-line flag.

View the [ConfigMap keys](/nginx-ingress-controller/configuration/global-configuration/configmap-resource) and [Command-line arguments](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments) topics for more information.
View the [ConfigMap keys]({{< ref "/nic/configuration/global-configuration/configmap-resource.md" >}}) and [Command-line arguments]({{< ref "/nic/configuration/global-configuration/command-line-arguments.md" >}}) topics for more information.

{{< note >}} NGINX Ingress Controller does not clear the status of Ingress resources when it is being shut down. {{< /note >}}

Expand Down Expand Up @@ -113,7 +113,7 @@ NGINX Ingress Controller must be configured to report a VirtualServer or Virtual
1. A user defined address, specified in the `external-status-address` ConfigMap key.
1. A Service of the type LoadBalancer configured with an external IP or address and specified by the `-external-service` command-line flag.

View the [ConfigMap keys](/nginx-ingress-controller/configuration/global-configuration/configmap-resource) and [Command-line arguments](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments) topics for more information.
View the [ConfigMap keys]({{< ref "/nic/configuration/global-configuration/configmap-resource.md" >}}) and [Command-line arguments]({{< ref "/nic/configuration/global-configuration/command-line-arguments.md" >}}) topics for more information.

{{< note >}} NGINX Ingress Controller does not clear the status of VirtualServer and VirtualServerRoute resources when it is being shut down. {{< /note >}}

Expand Down